South Korea attacks – Analysis on how the attackers accessed the networks, by Jaime Blasco

March 22, 2013

South Korean attacks on financial institutions and the media industry: Jaime Blasco, Labs Director at AlienVault, comments on how the wiper malware works and how the attackers may have gained access to the affected networks.

Other companies have published information about the wiper payloads, but no one is giving information about how the attackers gained access to the affected networks. To execute the payload, the attackers would have had to gain access to the companies' networks somehow and trigger the wiping routine at the same time on all the affected computers.

If the goal of the attackers was to create panic, it means they did not have a specific list of victims. From my point of view, one of the easiest ways to gain access to several targets without many resources or skills would be:

Buy an exploit kit and a malware kit, hack into websites and redirect victims to your malicious infrastructure.

or even better:

Rent one or more botnets that already have access to hundreds of computers and look for victims inside interesting targets.

Basically, the malware clears the DNS cache for Internet Explorer and modifies the etc/hosts file, adding new entries. When the victim resolves the South Korean banks' domain names included in the modified "etc/hosts" file, the domains will point to 103.14.114.156.

It seems the malware also starts the Task Scheduler service using the command "net start Task Scheduler", probably to create scheduled tasks for malicious purposes. Finally, it creates an autostart registry key to maintain persistence.
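The hosts-file tampering described above is easy to check for on an endpoint. The following script is an added example and is not code from the original post or from AlienVault: it parses a hosts file and flags any entry that pins a watched domain to a non-loopback address, or that points at a watch-listed IP (the 103.14.114.156 address named in the post). The sample hosts text, the bank domain names and the watch-list layout are constructed for the demonstration.

```python
# Added example, not from the original post: a defender-side check for
# hosts-file redirection of watched domains. The sample hosts content and
# the domain names below are constructed; 103.14.114.156 is the IP named
# in the post as the destination of the injected entries.
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the normal loopback entries plus injected bank entries
# and one legitimate internal override that must not be flagged.
SAMPLE_HOSTS = """\
# Hosts file header comment (constructed sample)
127.0.0.1       localhost
::1             localhost
103.14.114.156  www.examplebank.co.kr   # injected by the malware
103.14.114.156  online.examplebank.co.kr
10.0.0.5        intranet.example.local
"""

# Constructed watch-list: domains the organisation cares about, plus the IOC IP.
WATCHED_DOMAINS = {"www.examplebank.co.kr", "online.examplebank.co.kr"}
IOC_IPS = {"103.14.114.156"}


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, [hostnames]) for every non-comment hosts-file line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments, blank lines
        if not line:
            continue
        parts = re.split(r"\s+", line)
        try:
            ipaddress.ip_address(parts[0])       # skip malformed lines
        except ValueError:
            continue
        entries.append((parts[0], [h.lower() for h in parts[1:]]))
    return entries


def find_suspicious(entries, watched_domains, ioc_ips) -> Dict[str, List[str]]:
    """Map each suspicious hostname to the list of reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for ip, hosts in entries:
        addr = ipaddress.ip_address(ip)
        for host in hosts:
            reasons = []
            # A watched domain pinned to anything but loopback is a redirect,
            # not a block, so it is treated as a finding.
            if host in watched_domains and not addr.is_loopback:
                reasons.append(f"watched domain pinned to {ip}")
            if ip in ioc_ips:
                reasons.append(f"points at watch-listed IP {ip}")
            if reasons:
                findings.setdefault(host, []).extend(reasons)
    return findings


def scan_hosts_text(text: str) -> Dict[str, List[str]]:
    """Convenience wrapper: parse and evaluate hosts-file text in one call."""
    return find_suspicious(parse_hosts(text), WATCHED_DOMAINS, IOC_IPS)


if __name__ == "__main__":
    # On a real host, read %SystemRoot%\System32\drivers\etc\hosts instead.
    for host, reasons in scan_hosts_text(SAMPLE_HOSTS).items():
        print(host, "->", "; ".join(reasons))
```

The two injected bank entries are reported with both reasons, while the internal override for intranet.example.local is left alone because it is neither a watched domain nor a watch-listed IP. Read the real file from the path in the final comment and feed it to scan_hosts_text to use it on an endpoint.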

The malware connects to the host home1[.]hades08[.]com (126.7.217.163).

We have found several samples with the same behaviour, using the same filename (imbc.exe) and connecting to similar C&C servers, for example:

home2[.]hades08[.]com (126.7.217.163)

home3[.]hades08[.]com (126.7.217.163)

Other suspicious binaries matching the patterns we were looking for and submitted from South Korea in the last few days were:

All the files we mentioned are certainly from the same malware family: they have very similar behaviours with some slight differences, and their filenames match the list we found in the South Korean news. Some vendors call this family Win32.Morix.

Chinese packer/language

The domain hades08[.]com was registered by smokeno@163.com a week ago.

The domain registrant for asdasd2012[.]com is also smokeno@163.com, and it was registered a day after hades08[.]com.

The relationship is obvious because dl[.]hades08[.]com is now pointing to the same IP address as mb[.]asdasd2012[.]com (126.7.217.163).

According to Google, the domain asdasd2012[.]com has infected 4 domains in the past 90 days including a South Korean website, appstory.co.kr.

On the other hand, the C&C server for the sample with filename v3lite.exe that we previously mentioned resolves to 121.156.58.135.

Using passive DNS we can find the following subdomains of frcvb[.]com pointing to that IP in the last few days:

tt[.]frcvb[.]com A 121[.]156[.]58[.]135
aaa[.]frcvb[.]com A 121[.]156[.]58[.]135
qqq[.]frcvb[.]com A 121[.]156[.]58[.]135
ttt[.]frcvb[.]com A 121[.]156[.]58[.]135
zzz[.]frcvb[.]com A 121[.]156[.]58[.]135
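The pivots in the last few paragraphs (a shared registrant e-mail, then a shared A-record IP) are the same operation applied to different indicator types. The following script is an added example, not code from the original post or from AlienVault: it takes the registrant and passive-DNS observations the post lists and links everything that shares a registrant address, an IP, or a parent domain with a union-find, so the two separate infrastructure clusters fall out automatically. The defanged indicators are the ones on the page; the data layout, the refanging and the clustering code are my own assumptions.

```python
# Added example, not from the original post: transitive clustering of the
# indicators the post pivots on. Observations are kept in the post's
# defanged form and refanged only inside the code.
from typing import Dict, List, Set, Tuple

# (domain, registrant e-mail) as stated in the post.
REGISTRANTS: List[Tuple[str, str]] = [
    ("hades08[.]com", "smokeno@163.com"),
    ("asdasd2012[.]com", "smokeno@163.com"),
]

# (hostname, A-record IP) as stated in the post.
A_RECORDS: List[Tuple[str, str]] = [
    ("home1[.]hades08[.]com", "126[.]7[.]217[.]163"),
    ("home2[.]hades08[.]com", "126[.]7[.]217[.]163"),
    ("home3[.]hades08[.]com", "126[.]7[.]217[.]163"),
    ("dl[.]hades08[.]com", "126[.]7[.]217[.]163"),
    ("mb[.]asdasd2012[.]com", "126[.]7[.]217[.]163"),
    ("tt[.]frcvb[.]com", "121[.]156[.]58[.]135"),
    ("aaa[.]frcvb[.]com", "121[.]156[.]58[.]135"),
    ("qqq[.]frcvb[.]com", "121[.]156[.]58[.]135"),
    ("ttt[.]frcvb[.]com", "121[.]156[.]58[.]135"),
    ("zzz[.]frcvb[.]com", "121[.]156[.]58[.]135"),
]


def refang(indicator: str) -> str:
    """Turn the post's 'a[.]b' notation back into a plain name or IP."""
    return indicator.replace("[.]", ".").lower()


def registrable_domain(hostname: str) -> str:
    """Crude 'registered domain' = last two labels; adequate for .com names."""
    return ".".join(refang(hostname).split(".")[-2:])


class UnionFind:
    """Minimal disjoint-set structure over string indicators."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        self.parent[self.find(a)] = self.find(b)


def cluster_infrastructure(registrants, a_records) -> List[Set[str]]:
    """Group domains, hosts, IPs and registrant e-mails that are linked."""
    uf = UnionFind()
    for domain, email in registrants:
        uf.union(refang(domain), "email:" + email.lower())
    for host, ip in a_records:
        uf.union(refang(host), "ip:" + refang(ip))
        uf.union(refang(host), registrable_domain(host))  # host -> its domain
    groups: Dict[str, Set[str]] = {}
    for node in list(uf.parent):
        groups.setdefault(uf.find(node), set()).add(node)
    return sorted(groups.values(), key=lambda g: sorted(g))


def cluster_of(indicator: str, clusters: List[Set[str]]) -> Set[str]:
    """Return the cluster containing a (plain or defanged) indicator."""
    needle = refang(indicator)
    for group in clusters:
        if needle in group:
            return group
    return set()


if __name__ == "__main__":
    for group in cluster_infrastructure(REGISTRANTS, A_RECORDS):
        print(sorted(group))
```

With the post's observations the result is two clusters: hades08[.]com and asdasd2012[.]com merge through the registrant address and the shared 126.7.217.163 host, while the frcvb[.]com subdomains form a separate group around 121.156.58.135. Adding a later observation that ties an frcvb[.]com name to either the registrant or the first IP would merge the two groups without any other change.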

The fact is we could probably show you dozens of domains hosting versions of the GonDad exploit kit, affecting South Korean websites and related to the malware family we have been talking about.

It means that hundreds of South Korean websites are pointing to the GonDad exploit kit, and probably thousands of South Korean users have been compromised and are now part of a botnet.

If the people behind yesterday's South Korean attacks had access to some of the infrastructure we have detailed in this blog post, they could have gained access to hundreds if not thousands of South Korean systems and then chosen which of the compromised systems belonged to interesting companies. They could then have manually uploaded another payload to each of those systems and performed lateral movement to own the network. Once they are in the network, they can easily execute the wiping payload.

You should take into account that this is only a theory, and it could even be a very small part of the entire infrastructure they could have used. Maybe this is only one example, and they also bought the service or access to other exploit kits/botnets as well (Blackhole, Zeus, Koobface…).

On the other hand, both the exploit kit and the malware mentioned seem to come from China, but the attackers could have bought or rented them on the black market. The addresses used to register some of the related domain names were also Chinese ones.